Nine Major Ways Criminals Use Facebook

By Mike Sauter

Published May 17, 2012

24/7 Wall St.

This Friday, Facebook will go public in one of the most anticipated IPOs in history. With more than 900 million users, Mark Zuckerberg’s expanding social media empire has become a seemingly irreplaceable part of the online experience. Unfortunately, a byproduct of its success is that millions of Americans are far more exposed to a number of cyber crimes that also teem on the site.

To be sure, cyber crimes have been occurring for some time, but the presence of social media has made many crimes much easier to commit. In social networks people make “friends” without knowing the person and make personal information easily available. And none of the networks present more opportunity to criminals than Facebook and its hundreds of millions of users. With this in mind, 24/7 Wall St. looked at some of the most common ways criminals use Facebook.

Internet security analysts warn that Facebook is a hotbed for online crime. According to an infographic published earlier this year by ZoneAlarm, a leading Internet security software provider, “roughly 4 million Facebook users experience spam on a daily basis, 20% of Facebook users have been exposed to malware,” and Facebook receives 600,000 reports of hijacked log-ins every day.

Facebook knows that there is a problem. Earlier this year, the social media giant began working with the U.S. Attorney General’s office to try to combat linkjacking, a new form of account hacking and spam that is more or less unique to Facebook. Through various kinds of identity theft, linkjacking spammers send messages containing false ads or even viruses to the victims, pretending to be a Facebook friend.

Like linkjacking, malware represents yet another growing threat for Facebook users, Dr. Kent Seamons, assistant professor in the Computer Science Department at Brigham Young University, told 24/7 Wall St. “Hackers get malware on your machine and get tens if not hundreds of thousands of these machines under their control and then they rent them out to spammers and others,” Seamons explains. Renting Facebook accounts to spammers is one of the many ways that thieves monetize the personal information they steal. These rented accounts can then be used to advertise products illicitly or to request money from unsuspecting friends.

Ultimately, all social media sites make it easier for criminals to deceive their victims. According to a study published in Communications of ACM, a journal for computing professionals, the percentage of students that responded to a phishing email increased from 16% to 72% when the email included relevant social information about the target. For example, scams that make it appear that a message comes from a friend of the target make it more likely that the target will respond.

These are the nine ways criminals use Facebook.

1. Hacking Accounts

When criminals hack a Facebook account, they typically use one of several available “brute force” tools, Grayson Milbourne, Webroot’s Manager of Threat Research for North America, told 24/7 Wall St. in an interview. These tools cycle through a common password dictionary, and try commonly used names and dates, opposite hundreds of thousands of different email IDs. Once hacked, an account can be commandeered and used as a platform to deliver spam, or — more commonly — sold. Clandestine hacker forums are crawling with ads offering Facebook account IDs and passwords in exchange for money. In the cyber world, information is a valuable thing.

2. Commandeering Accounts

A more direct form of identity theft, commandeering occurs when the criminal logs on to an existing user account using an illegally obtained ID and password. Once they are online, they have the victim’s entire friend list at their disposal and a trusted cyber-identity. The impostor can use this identity for a variety of confidence schemes, including the popular, London scam in which the fraudster claims to be stranded overseas and in need of money to make it home. The London scam has a far-higher success rate on Facebook — and specifically on commandeered accounts — because there is a baseline of trust between the users and those on their friends list.

Profile cloning is the act of using unprotected images and information to create a Facebook account with the same name and details of an existing user. The cloner will then send friend requests to all of the victim’s contacts. These contacts will likely accept the cloner as a friend since the request appears to be from someone they’re familiar with. Once accepted, the crook has access to the target’s personal information, which they can use to clone other profiles or to commit fraud. As Grayson Milbourne puts it, “Exploiting a person’s account and posturing as that person is just another clever mechanism to use to extract information.” Perhaps what’s scariest about this kind of crime is its simplicity. Hacking acumen is unnecessary to clone a profile; the criminal simply needs a registered account.

4. Cross-Platform Profile Cloning

Cross-platform profile cloning is when the cyber criminal obtains information and images from Facebook and uses them to create false profiles on another social-networking site, or vice versa. The principle is similar to profile cloning, but this kind of fraud can give Facebook users a false sense of security because their profile is often cloned to a social platform that they might not use. The result is that this kind of fraud may also take longer to notice and remedy.

5. Phishing

Phishing on Facebook involves a hacker posing as a respected individual or organization and asking for personal data, usually via a wall post or direct message. Once clicked, the link infects the users’ computers with malware or directs them to a website that offers a compelling reason to divulge sensitive information. A classic example would be a site that congratulates the victims for having won $1,000 and prompts them to fill out a form that asks for a credit card and Social Security number. Such information can be used to perpetrate monetary and identity fraud. Grayson Milbourne of Webroot, also explained that spearphishing is becoming increasingly common, a practice that uses the same basic idea but targets users through their individual interests.

6. Fake Facebook

A common form of phishing is the fake Facebook scam. The scammers direct users via some sort of clickable enticement, to a spurious Facebook log-in page designed to look like the real thing. When the victims enter their usernames and passwords, they are collected in a database, which the scammer often will sell. Once scammers have purchased a user’s information, they can take advantage of their assumed identity through apps like Facebook Marketplace and buy and sell a laundry list of goods and services. Posing as a reputable user lets the scammer capitalize on the trust that person has earned by selling fake goods and services or promoting brands they have been paid to advertise.

In cases of affinity fraud, con artists assume the identity of individuals in order to earn the trust of those close to them. The criminal then exploits this trust by stealing money or information. Facebook facilitates this type of fraud because people on the site often end up having a number of “friends” they actually do not know personally and yet implicitly trust by dint of their Facebook connection. Criminals can infiltrate a person’s group of friends and then offer someone deals or investments that are part of a scheme. People can also assume an identity by infiltrating a person’s account and asking friends for money or sensitive information like a Social Security or credit card number.

8. Mining Unprotected Info

Few sites provide an easier source of basic personal information than Facebook. While it is possible to keep all personal information on Facebook private, users frequently reveal their emails, phone numbers, addresses, birth dates and other pieces of private data. As security experts and hackers know, this kind of information is often used as passwords or as answers to secret security questions. While the majority of unprotected information is mined for targeted advertising, it can be a means to more pernicious ends such as profile cloning and, ultimately, identity theft.

9. Spam

Not all spam — the mass sending of advertisements to users’ personal accounts — is against the law. However, the existence of Facebook and other social sites has allowed for a new kind of spam called clickjacking. The process of clickjacking, which is illegal, involves the hacking of a personal account using an advertisement for a viral video or article. Once the user clicks on this, the program sends an advertisement to the person’s friends through their account without their knowledge. This has become such an issue for the social media giant that earlier this year that the company has teamed up with the U.S. Attorney General to try to combat the issue.